OASIS-3rd-deliveatble-startx

parisfawn, Artificial Intelligence and Robotics

17 Nov 2013

Multi-factor Authentication Methods Taxonomy

Abbie Barbir

Authentication Strength

- (entity) authentication: A process used to achieve sufficient confidence in the binding between the entity and the presented identity.

- What is Authentication Strength (or Trust in the Authentication Step)?
  - Measures how difficult it is for an imposter to masquerade as the legitimate user
  - Authentication strength is often more formally expressed as a "level of assurance" (ITU X.1254 and ISO 29115, based on NIST 800-63)

- Two-factor authentication (TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two or more factors from the same or different category
- Multi-factor authentication uses more than 2 factors from different categories

- Analysis
  - Overall objective is to elevate trust in the authentication step
  - Established terms, such as "2FA", are no longer precise enough to guide technology decisions
  - Choosing the method or methods appropriate for the needs of securing the enterprise, using appropriate comparisons of different vendors' products and services, requires a more granular taxonomy

How to Determine the "Best" Authentication Method

Use needs and constraints to determine:

- Authentication strength: indicated by the level of risk
- Total cost of ownership: constrained by budget
- Ease of use: universally desirable, but it is less critical the greater the consistency
- Other constraints: consistency and control of the endpoint is a particular constraint

Source of figure: Gartner

Elevating Trust in Authentication Strength Level

- Increasing the strength of authentication can be done by adding factors from the same or different kinds of authentication categories that don't have the same vulnerabilities.

- There are five categories of authentication methods:
  - who you are,
  - what you know,
  - what you have,
  - what you typically do and
  - the context.

- What you typically do consists of behavioral habits that are independent of physical biometric attributes.
- Context includes, "but is not limited" to, location, time, party, prior relationship, social relationship and source. Mostly used to provide secondary attributes.

- Authentication assurance or elevation can be within the classic four ITU-T X.1254 LoA (ISO 29115 (NIST 800-063))

- Adding factors from different categories can increase strength only if the overall set of vulnerabilities is reduced.

Authentication Categories

Who you are (biometric)
- Physical biometric: immutable and unique
  - Facial recognition
  - Iris scan
  - Retinal scan
  - Fingerprint / palm scan
  - Voice
  - Liveliness biometric factors include: pulse, CAPTCHA, etc.
- Behavioral biometric: based on a person's physical behavioural activity patterns
  - Keyboard signature
  - Voice

What you know
- User name and password (UN/PW), a passphrase, a PIN
  - Very often used alone or in combination with KBA methods.
- Knowledge-based authentication (KBA)
  - Static KBA
  - Dynamic KBA

What you have
- One-time password (OTP)
- Smart card
- X.509 and PKI
- Subscriber identity module (SIM)
  - Rarely used alone; used in combination with UN/PW and a PIN

What you do
- Browsing patterns
- Time of access
- Type of device
  - Used in combination with other methods

Context
- Location; time of access
- Frequency of access
- Source and endpoint identity attributes such as
  - Used in combination with other methods

How to Evaluate Authentication Strength

1. Two aspects to consider
   - Method's resistance to attack: how difficult is it for an attacker to directly compromise or undermine the authentication method (without the user's knowing collusion)
   - Method's resistance to wilful misuse: how difficult is it for a user to deliberately allow others to share his account?

2. Authentication strength
   - Measures how hard it is for another person to masquerade as the legitimate user
   - Authentication may be undermined by two kinds of attacks:
     - Masquerade attacks, in which an attacker is (by some means) able to corroborate a falsely claimed digital identity and, thus, log in as a legitimate user.
     - Session hijacking attacks, such as a man-in-the-browser attack, which take control of or parasitize an already-authenticated session after a legitimate user's claimed digital identity has been corroborated.

Session hijacking attacks bypass authentication and, thus, can succeed no matter how strong the authentication method is. There is always a need for fraud detection, misuse monitoring and other compensating controls in order to elevate trust.

Source: Gartner

How to Evaluate Authentication Strength

- Combining two or more authentication methods can potentially increase authentication strength, compared with using either one.
  - For example, passwords are vulnerable to key logging; adding a second, partial password entered via a drop-down menu may reduce vulnerability to this attack.

- Point of caution
  - Each type of authentication attribute has a set of intrinsic vulnerabilities, some of which overlap with those of other attributes
  - A combination of two attributes of the same type tends to share many vulnerabilities
  - It is a big mistake to assume that strong authentication always results when combining multiple authentication attributes/factors.
  - Only by combining attributes of different kinds (that is, different factors) with different (non-overlapping) sets of vulnerabilities is there a significant increase in resistance to attack and, thus, in authentication strength

Source: OASIS, ITU, NIST, Gartner

How to Evaluate Authentication Strength

- Not every MFA method is stronger than an authentication method based on a single authentication factor/attribute.
  - For example, a biometric authentication method using heart beat is stronger than a password + OTP
- For some types of attacks, a 2FA method might not be stronger than one of its components used alone.
  - For example, a "fly-phishing" attack that captures and immediately uses an OTP will be equally successful whether the OTP token was PIN-protected or not.

- Some issues to consider
  - How unique is the credential
  - Level of trust of the binding of the credential to the entity

Source: NIST, Gartner

Evaluating Authentication Strength "Take Away"

- Counting factors is not enough to evaluate authentication strength

Source: Gartner
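The "non-overlapping vulnerabilities" argument of the preceding three slides can be made mechanical: an attacker must defeat every factor the verifier checks, so the threats that still work against a combination are the intersection of the threats that work against each factor, and an activation-only factor (a PIN unlocking an OTP token) never reaches the verifier at all. The following is an added illustration, not material from the slides; the threat names follow the deck's threat list, while "theft" and the assignment of threats to methods are constructed assumptions.

```python
from dataclasses import dataclass

# Threat names follow the slides (online guessing, phishing, key logging,
# session hijack, "fly-phishing" = real-time phishing); "theft" and the
# threat-to-method assignments below are constructed for illustration.
SESSION_HIJACK = "session hijack"  # post-authentication: no method resists it


@dataclass(frozen=True)
class Method:
    name: str
    category: str              # one of the five categories on the slides
    vulnerable_to: frozenset   # masquerade threats that defeat the method alone
    activation_blocks: frozenset = frozenset()  # threats a PIN/biometric unlock defeats


def residual_threats(verified, activated=()):
    """Threats that still defeat a combination of methods.

    Every method in `verified` is checked by the verifier, so an attacker must
    defeat all of them: the residual set is the intersection. A token named in
    `activated` is unlocked by a second factor the verifier never sees; that only
    removes the threats the token declares in `activation_blocks` (e.g. theft),
    never capture of the token's output. Session hijack always remains."""
    sets = [m.vulnerable_to - (m.activation_blocks if m.name in activated else frozenset())
            for m in verified]
    return frozenset.intersection(*sets) | {SESSION_HIJACK}


def not_stronger_than(verified, activated=()):
    """Components the combination does not improve on (counting factors is not enough)."""
    combined = residual_threats(verified, activated) - {SESSION_HIJACK}
    return [m.name for m in verified if combined >= m.vulnerable_to]


PASSWORD = Method("password", "what you know",
                  frozenset({"online guessing", "key logging", "phishing", "real-time phishing"}))
PARTIAL_PASSWORD = Method("partial password", "what you know",  # drop-down entry: no key logging
                          frozenset({"online guessing", "phishing", "real-time phishing"}))
OTP_DEVICE = Method("OTP device", "what you have",
                    frozenset({"real-time phishing", "theft"}), frozenset({"theft"}))

if __name__ == "__main__":
    # Same category: the second knowledge factor removes key logging only.
    print(sorted(residual_threats([PASSWORD, PARTIAL_PASSWORD])))
    print(not_stronger_than([PASSWORD, PARTIAL_PASSWORD]))
    # Different categories with little overlap: only real-time phishing survives.
    print(sorted(residual_threats([PASSWORD, OTP_DEVICE])))
    # PIN-activated OTP: theft is blocked, but a captured OTP is used just the same.
    print("real-time phishing" in residual_threats([OTP_DEVICE], activated={"OTP device"}))
```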

Authentication Process Threats

Threat Resistance per Assurance Level (table)

- Online guessing
- Phishing
- Pharming
- Eavesdropping
- Replay
- Session hijack
- Man-in-the-middle

Source: ITU-T, NIST

Example: Calculating the Overall Authentication Assurance Level (LOA 3)

The overall authentication assurance level is based on the low watermark (weakest link) of the assurance levels for each of the components of the architecture. For instance, to achieve an overall assurance level of 3:

- The registration and identity proofing process shall, at a minimum, use Level 3 processes or higher.
- The token (or combination of tokens) used shall have an assurance level of 3 or higher.
- The binding between the identity proofing and the token(s), if proofing is done separately from token issuance, shall be established at Level 3.
- The authentication protocols used shall have a Level 3 assurance level or higher.
- The token and credential management processes shall use a Level 3 assurance level or higher.
- Authentication assertions (if used) shall have a Level 3 assurance or higher.
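The low-watermark rule above, written out as an added example (not from the slides): the overall level is the minimum over the components that apply, where the binding step counts only when proofing is separate from token issuance and the assertion step only when assertions are used. The component names and the sample architecture are constructed for the illustration.

```python
COMPONENTS = (
    "registration and identity proofing",
    "token(s)",
    "proofing-to-token binding",       # applies only if proofing is separate from issuance
    "authentication protocol",
    "token and credential management",
    "authentication assertions",       # applies only if assertions are used
)


def applicable_components(proofing_separate=True, assertions_used=True):
    """The components whose assurance level counts for a given architecture."""
    skip = set()
    if not proofing_separate:
        skip.add("proofing-to-token binding")
    if not assertions_used:
        skip.add("authentication assertions")
    return [c for c in COMPONENTS if c not in skip]


def overall_loa(levels, proofing_separate=True, assertions_used=True):
    """Overall LOA is the low watermark: the minimum over applicable components.

    `levels` maps component name -> assured level 1..4. A component that applies
    but has no entry counts as 0 (nothing assured), so it drags the result down."""
    for name, level in levels.items():
        if name not in COMPONENTS or level not in (1, 2, 3, 4):
            raise ValueError(f"bad component or level: {name}={level}")
    return min(levels.get(c, 0) for c in applicable_components(proofing_separate, assertions_used))


def gaps_for(target, levels, proofing_separate=True, assertions_used=True):
    """Components below `target` and how many levels each must be raised."""
    return {c: target - levels.get(c, 0)
            for c in applicable_components(proofing_separate, assertions_used)
            if levels.get(c, 0) < target}


# Constructed example architecture: a Level 4 token cannot lift the overall
# level above the Level 2 binding step.
SAMPLE = {
    "registration and identity proofing": 3,
    "token(s)": 4,
    "proofing-to-token binding": 2,
    "authentication protocol": 3,
    "token and credential management": 3,
    "authentication assertions": 3,
}

if __name__ == "__main__":
    print(overall_loa(SAMPLE), gaps_for(3, SAMPLE))
    print(overall_loa(SAMPLE, proofing_separate=False))
```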

Tokens

- A token is something that the Claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the Claimant's identity.

- Single-factor token
  - A token that uses one of the three factors to achieve authentication.
  - For example, a password is something you know.
  - There are no additional factors required to activate the token, so this is considered single factor.

- Multi-factor token
  - A token that uses two or more factors to achieve authentication.
  - For example, a private key on a smart card that is activated via PIN is a multi-factor token.
  - The smart card is something you have, and something you know (the PIN) is required to activate the token.

All Possible Token Types

1. Memorized Secret Token
   - A secret shared between the Subscriber and the CSP
2. Pre-registered Knowledge Token
   - A series of responses to a set of prompts or challenges
3. Look-up Secret Token
   - A physical or electronic token that stores a set of secrets shared between the Claimant and the CSP. The token authenticator is the secret(s) identified by the prompt. Look-up secret tokens are something you have.
4. Out of Band Token
   - A physical token that is uniquely addressable and can receive a Verifier-selected secret for one-time use. The device is possessed and controlled by the Claimant and supports private communication over a channel that is separate from the primary channel for e-authentication.
5. Single-factor (SF) One-Time Password (OTP) Device
   - A hardware device that supports the spontaneous generation of one-time passwords

All Possible Token Types

6. Single-factor (SF) Cryptographic Device
   - A hardware device that performs cryptographic operations on input provided to the device. This device does not require activation through a second factor of authentication.
7. Multi-factor (MF) Software Cryptographic Token
   - A cryptographic key is stored on disk or some other "soft" media and requires activation through a second factor of authentication.
8. Multi-factor (MF) One-Time Password (OTP) Device
   - A hardware device that generates one-time passwords for use in authentication and which requires activation through a second factor of authentication.
9. Multi-factor (MF) Cryptographic Device
   - A hardware device that contains a protected cryptographic key that requires activation through a second authentication factor. Authentication is accomplished by proving possession of the device and control of the key. The token authenticator is highly dependent on the specific cryptographic device and protocol, but it is generally some type of signed message. For example, in TLS, there is a "certificate verify" message. The MF cryptographic device is something you have, and it may be activated by either something you know or something you are.

Token Threats

Source: NIST, ITU-T

Token Threat Mitigation Strategies

Token Requirements Per Assurance Level

See NIST 800-63-1

NIST: Assurance Levels for Multi-Token E-Authentication Schemes

Next Steps

- Identify tokens that we do support
- Determine LOA of each token
- Determine LOA of each EAA cycle
- Suggest a table for LOA level
- Assume no protocol for now



Appendix 1

Token Requirements Per Assurance Level

Source: NIST